Password Encryption

SAYMON can encrypt passwords and other sensitive information in configuration files and probe settings.

Encryption format

Encrypted values are stored in the following format:

<tags[0]><prefix>:<salt>:<encrypted_value><tags[1]>

For example:

"value": "<<crypt:db7676ec4c7624788349b75e43a3b6a4:1a67b106fabeadf2ac8458395c5e644d>>"

If a field’s value is surrounded by tags but has no prefix, the server encrypts this field on the next restart.

If the value has both tags and a prefix, the server treats it as an encrypted field.

If the value doesn’t have a prefix or tags surrounding it, SAYMON assumes this value isn’t encrypted.

Tags and surrounding prefixes can be configured in the Server configuration.

Configuration file encryption

You can turn on encryption with the server_config parameter of the server configuration:

"encrypt": {
  "server_config": true
}

Mark fields that need to be encrypted with tags (by default – << and >>):

{
  "cache": {
    "password": "testPass1"
  },
  "fieldToEncrypt": "<<testPass2>>",
  "openTsdb": {
    "host": "localhost",
    "port": 4242
  }
}

Restart the SAYMON server to encrypt all marked fields, as well as all fields named pass or password:

{
  "cache": {
    "password": "<<crypt:bd5ea51c5ee453220a2616645672e96b:1a67b106fabeadf2ac8458395c5e644d>>"
  },
  "fieldToEncrypt": "<<crypt:db7676ec4c7624788349b75e43a3b6a4:5602ae7b1a4a8ae8ea6cca845f5d4c5f>>",
  "openTsdb": {
    "host": "localhost",
    "port": 4242
  }
}

Tags and surrounding prefixes can be configured in the Server configuration.
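
An added example, not SAYMON's own code: a pre-commit or pre-backup check that walks a configuration file and reports every value still readable in clear text, using the three rules from "Encryption format" and assuming encrypt.server_config is enabled. The function names, the exact-match rule for pass and password, and the "malformed" state (a prefixed value without exactly three non-empty parts) are assumptions of this example; the tags and the crypt prefix are the ones shown on this page.

```python
import json

TAGS = ("<<", ">>")                  # default tags stated on the page
PREFIX = "crypt"                     # prefix as it appears in the page's examples
SECRET_NAMES = {"pass", "password"}  # field names encrypted on restart (exact match assumed)

def classify(value, tags=TAGS, prefix=PREFIX):
    """Apply the three rules from "Encryption format" to a single value."""
    opener, closer = tags
    if (not isinstance(value, str)
            or len(value) < len(opener) + len(closer)
            or not (value.startswith(opener) and value.endswith(closer))):
        return "plain"        # no surrounding tags: stored as-is
    inner = value[len(opener):len(value) - len(closer)]
    if not inner.startswith(prefix + ":"):
        return "pending"      # tags without prefix: encrypted on next restart
    # Assumption of this example: exactly prefix, salt and ciphertext, none empty.
    parts = inner.split(":")
    return "encrypted" if len(parts) == 3 and all(parts) else "malformed"

def audit(node, path="", key=None):
    """Yield (path, state) for each value that is still readable or suspect."""
    if isinstance(node, dict):
        for name, child in node.items():
            yield from audit(child, f"{path}.{name}" if path else name, name)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from audit(child, f"{path}[{index}]", key)
    else:
        state = classify(node)
        if state in ("pending", "malformed") or (state == "plain" and key in SECRET_NAMES):
            yield path, state

# The page's own sample configuration, before and after the restart.
BEFORE = json.loads("""{"cache": {"password": "testPass1"},
  "fieldToEncrypt": "<<testPass2>>",
  "openTsdb": {"host": "localhost", "port": 4242}}""")
AFTER = json.loads("""{"cache": {"password":
    "<<crypt:bd5ea51c5ee453220a2616645672e96b:1a67b106fabeadf2ac8458395c5e644d>>"},
  "fieldToEncrypt":
    "<<crypt:db7676ec4c7624788349b75e43a3b6a4:5602ae7b1a4a8ae8ea6cca845f5d4c5f>>",
  "openTsdb": {"host": "localhost", "port": 4242}}""")

if __name__ == "__main__":
    for label, config in (("before restart", BEFORE), ("after restart", AFTER)):
        print(label, sorted(audit(config)) or "no clear-text secrets found")
```

A non-empty result means the file still holds a secret that has not been encrypted, for example because the server has not been restarted since the field was marked.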

Probe settings encryption

Probe parameters can contain sensitive information (like passwords). SAYMON can encrypt those fields.

To enable probe parameter encryption, set the encrypt.db parameter in the Server configuration to true:

"encrypt": {
  "db": true
}

The following probes support parameter encryption:

After setting this parameter, the values of the specified fields will be saved in the database as encrypted strings.

When a user receives the JmxPassword and FtpPassword fields via REST API requests, the values are replaced with 4 asterisks (****). When a user requests the DatabaseServerUrl parameter, only the DB password is masked.

The server returns an empty string instead of the decrypted value if an error occurs during decryption or if encryption was disabled after those fields were encrypted.